The Army Grounds Its DJI Drones Over Security Concerns

One of the most popular drone brands is too big a security risk for the Army, at least for now.
A drone flies in the showroom of the DJI headquarters in Shenzhen on May 11, 2017. NICOLAS ASFOURI/AFP/Getty Images

The US Army has increasingly used small consumer drones in the field, purchasing them as needed from consumer manufacturers like the well-known Chinese maker DJI. But documents indicate that the Army Aviation Directorate is now enforcing new orders, banning DJI drones “due to increased awareness of cyber vulnerabilities associated with DJI products.”

The documents, first obtained by Small UAS News, don’t explain the Army’s security concern, but refer to classified studies about DJI drones that first circulated at the end of May. Previously, hackers have jailbroken some DJI drones to take control of and modify features such as the built-in safety limits. Some reports have also indicated that DJI can gather location, audio, and even visual data from user flights. It's unclear what data DJI can access without customer consent, but location and media data from an Army drone could reveal extensive information about US military operations. Even if the Army isn't specifically concerned about DJI or the Chinese government accessing this data, it may be worried that other parties could intercept any data the drones or their companion apps send back to DJI.

An Army spokesperson told WIRED in a statement, “We can confirm that guidance was issued; however, we are currently reviewing the guidance and cannot comment further at this time.” The guidance points to two US military reports, one from the Army Research Laboratory titled “DJI UAS Technology Threat and User Vulnerabilities” and one from the Navy called “Operational Risks with Regards to DJI Family of Products."

DJI has said in the past that it doesn’t track devices, and can’t access unit audio or video feeds. But the company is at least able to make its drones comply with no fly zones around the world, one of the administrative capabilities that has motivated customers to hack the drones in the past. Drone owners have even developed jailbreaks for DJI devices so they can override safety controls like flight elevation maximums. DJI says that how much information it can access about a particular user hinges on what data sharing that customer has granted, particularly through DJI mobile apps. An April 2016 privacy policy notes that “DJI Products and Services connect to servers hosted in the United States, China, and Hong Kong.”

“DJI makes civilian drones for peaceful purposes,” a DJI spokesperson said in a statement. “We do not market our products for military customers, and if military members choose to buy and use our products as the best way to accomplish their tasks, we have no way of knowing who they are or what they do with them. The US Army has not explained why it suddenly banned the use of DJI drones and components, what ‘cyber vulnerabilities’ it is concerned about, or whether it has also excluded drones made by other manufacturers.”

Though the Army’s specific concerns about DJI remain unknown, the situation is reminiscent of mounting international suspicion over state use of consumer products developed abroad. These tensions have particularly escalated between the US and Russia in the past few years, with Moscow routinely demanding access to software source code to check security products from US companies like IBM and Cisco. Recently the US government has angled for similar access from the Russian antivirus maker Kaspersky Lab. Cybersecurity defense tools would be a particular liability if they were sabotaged by foreign adversaries, but any digital product that generates or accesses sensitive data—like, say, a military drone—is a potential weakness.

Although DJI is a Chinese company, the Army may be more concerned about broad exposure to data hijacking, if the wording of the directive gives any clues. "Cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction," the missive reads. Its comprehensive nature may indicate fears about data interception or spyware, or could stem from a military penetration test of DJI equipment that unearthed a bug the Army doesn't want others finding and exploiting. That wouldn't be without precedent; in the late 2000s, insurgents in Iraq famously intercepted unencrypted Predator drone video feeds.

It wouldn't necessarily be surprising if the US military concluded that a consumer-grade product was inadequate for military use. As DJI itself notes, the company's drones aren't made with warfare in mind, and mainstream products generally aren't hardened the way military technology is. But the thoroughness of the Army's DJI recall certainly raises questions about what specifically the Army found, and whether consumer privacy or security could be at risk as well.